Network Address Translation (NAT) translates your local or private IP addresses to public IP addresses so you can communicate with the internet.
Why NAT? Because it is expensive to buy a public IP address for each and every computer in a network.
Types of NAT:
Static NAT: This is one-to-one, i.e. one particular private IP address is always translated to one dedicated public IP address.
Dynamic NAT: This is many-to-many. Your list of private IP addresses is translated to a pool of public addresses; a public IP is dynamically picked from that pool for each private IP address.
PAT - Port Address Translation: This is many-to-one. Your list of private IP addresses is translated to one public IP address. It uses the source port number of each host in your local network to differentiate individual hosts or computers. This is also called NAT Overload.
Lab:
Local router:
f0/0 - desktop
f0/1 - vpcs1
s1/0 - border router
Border router:
s1/0 - local router
s1/1 - isp router
Isp router:
s1/1 - border router
f0/0 - vpcs2
Local router configuration:
Border router configuration:
Isp router Configuration:
Vpcs Configuration:
- Desktop (MS Loopback Adapter) gets 10.0.0.2 255.255.255.252, GW: 10.0.0.1, DNS: 10.0.0.1
- We will use EIGRP as the routing protocol in the Local and Border routers, so that the desktop and vpcs can communicate with the Border router via the Local router. We will configure both routers in autonomous system number 10 so they become neighbours and exchange their topology databases.
local(config)#router eigrp 10
local(config-router)#network 10.0.0.0
- The Border router should be able to communicate with both the public and private networks. With EIGRP, the border router is already communicating with our local networks. In the real world, all local computers connect to the border router, and the border router knows how to get to the ISP router because those settings are given by the ISP. For this lab we have to configure the border router ourselves, so it needs to know the routes. We could use any routing protocol, but since 99.0.0.0 is directly connected and 99.0.1.0 is the only network left to put in the routing table, let's use static routing.
border(config)#router eigrp 10
border(config-router)#network 10.0.0.0
border(config-router)#network 99.0.0.0
border(config)#ip route 99.0.1.0 255.255.255.252 99.0.0.2
border(config)#ip default-network 99.0.0.0
- I also used the 'ip default-network' command so EIGRP can advertise it to the local router.
- With all of the above set up we should be able to successfully ping within our local network and within our public networks, i.e. 99.0.0.0 and 99.0.1.0. But we cannot ping from the local network to the public network, and that's where NAT comes into the picture. NAT will translate our local IP addresses to a public IP address so we can communicate with our public networks. We are going to implement NAT overload, or PAT, in our border router.
border(config)#ip nat pool test 99.0.0.1 99.0.0.1 netmask 255.255.255.252
border(config)# access-list 10 permit 10.0.0.0 0.0.255.255
border(config)# ip nat inside source list 10 pool test overload
- The first line creates a pool called 'test' with a range of public addresses. In this case it is only 99.0.0.1 because we're implementing NAT overload, i.e. many-to-one. However, we can use more than one public IP.
- The second line creates a list of our local addresses, identified by the number '10', with the 'permit' option.
- The third line tells NAT to translate inside addresses that match list number 10 to addresses in the pool named 'test'; the 'overload' keyword tells NAT to use port numbers to identify a particular host in the local network.
- Now we're left with configuring the interfaces of our border router as belonging to the inside network or the outside network. In this lab, s1/0 of the border router belongs to the inside network and s1/1 to the outside.
border(config)#int s1/0
border(config-if)# ip nat inside
border(config-if)#int s1/1
border(config-if)#ip nat outside
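To show what the three NAT lines above actually do when packets cross the inside and outside interfaces, here is a small Python model of the translation table, added here as an example; it is not Cisco code and not part of the original lab. It uses the lab's own values (access-list 10 with wildcard 0.0.255.255, pool 'test' holding only 99.0.0.1) and assumes IOS-like behaviour of keeping the original source port when it is free and picking a new one otherwise. Return traffic that matches no existing entry gets no inside address, which is why unsolicited packets from the public side never reach a local host.

```python
import ipaddress

# Values taken from the lab configuration on the border router.
ACL_10 = ("10.0.0.0", "0.0.255.255")   # access-list 10 permit 10.0.0.0 0.0.255.255
POOL_TEST = ["99.0.0.1"]               # ip nat pool test 99.0.0.1 99.0.0.1 netmask ...

def acl_permits(ip, network, wildcard):
    """Cisco wildcard mask: 0 bits must match the network, 1 bits are ignored."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ip_i & care == net_i & care

class PatTable:
    """Model of 'ip nat inside source list 10 pool test overload' (assumed behaviour)."""
    def __init__(self, pool, acl, first_port=1024):
        self.pool, self.acl = pool, acl
        self.next_port = first_port   # constructed starting point for newly allocated ports
        self.out = {}   # (inside ip, inside port) -> (public ip, public port)
        self.back = {}  # (public ip, public port) -> (inside ip, inside port)

    def outbound(self, src_ip, src_port):
        """Packet from the 'ip nat inside' side. Returns the translated source, or None
        when the source is not matched by the access list and leaves untranslated."""
        if not acl_permits(src_ip, *self.acl):
            return None
        key = (src_ip, src_port)
        if key not in self.out:
            public = self.pool[0]      # overload: every host shares the one pool address
            port = src_port            # keep the original port while it is still free
            while (public, port) in self.back:
                port, self.next_port = self.next_port, self.next_port + 1
            self.out[key] = (public, port)
            self.back[(public, port)] = key
        return self.out[key]

    def inbound(self, dst_ip, dst_port):
        """Packet arriving on the 'ip nat outside' side. None means no translation
        entry exists for it, so the router has nowhere to send it."""
        return self.back.get((dst_ip, dst_port))

if __name__ == "__main__":
    table = PatTable(POOL_TEST, ACL_10)
    print(table.outbound("10.0.0.2", 5000))   # desktop, keeps port 5000
    print(table.outbound("10.0.1.5", 5000))   # vpcs1 with the same port gets 1024
    print(table.inbound("99.0.0.1", 1024))    # reply is mapped back to vpcs1
    print(table.inbound("99.0.0.1", 9999))    # unsolicited inbound: no entry
```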
Verification: